Secure data interchange system.



Systems for interchanging information, for example,
obtaining cash from a terminal by use of a
portable device such as a credit card, are well known
but suffer from being vulnerable to fraud. In the
invention a highly secure information interchange
system is achieved by utilizing an intelligent card (4)
as the portable device, which verifies that the terminal
(3) is a valid one, and the terminal in turn verifies
that the card is valid. Unauthorized users are
screened out by means of a physical characteristic
scan of the user, such as a finger print, which is then
compared with comparable data stored on the portable
device (4). If an invalid terminal (3) attempts to
communicate with the card (4), the card (4) erases
the data and program from its memory.

All programs and data in the terminal (3) are
stored in memory which loses its contents when
power is interrupted, thus improving the security of
the system by making unauthorized use of a terminal
very difficult. The terminal can only be brought
back up by authorized personnel with their own
access portable devices. Both a system and a method
are claimed.
SECURE DATA INTERCHANGE SYSTEM



FIELD OF THE INVENTION 

This invention relates generally to a system 
and method of providing information and services 
to a population of persons through portable devices 
which can be used to access any of a number of 
terminals to make use of the services offered at the 
said terminals. The system and method in particu- 
lar provide for security against unauthorized ac- 
cess. The invention has use in the fields of auto- 
matic banking, automatic credit and debit transac- 
tions, passport and travel visa verification, health 
and medical records, security access, licensing 
and any other like field where fraud may pose a 
problem. 

BACKGROUND OF THE INVENTION 

Data transfer systems using portable devices 
such as cards with some memory capability, for 
example, a magnetic strip, and terminals to which 
the portable devices can be connected are well 
known. Generally they are used to control access 
to some area or service. Usually the terminals are 
connected to a central processing unit or computer 
which controls access and is the ultimate storage 
facility for the information on the card. 

British Patent 1504196 to Moreno describes 
such a prior art system comprised of a portable 
device and a peripheral device or terminal which is 
connected to a central computer. Many of the 
portable devices referred to as prior art in Moreno 
used magnetic track memories which could easily 
be modified or the contents read. Also the memory 
storage capacity was quite low and the memory 
was susceptible of accidental modification. This left 
such systems vulnerable to abuse from fraudulent 
intervention. 

United States Patent 3702464 addressed the 
problem of lack of memory capacity and volatility 
by disclosing a portable device containing an in- 
tegrated circuit memory. The device still suffered 
from the problem that the memory could be read 
and the contents extracted or changed. Moreno 
advanced the art by adding inhibiting means to 
prevent the transfer of data out of or into prohibited 
areas of the memory of the portable device. Prefer- 
ably the portable device contained its own inhibit- 
ing means but the inhibiting means could be con- 
tained in the peripheral device. 

In British Patent 1505715 to Moreno there is
disclosed a system for interchanging information
which is like those described above, but without the
error-prone direct connections from the peripheral
devices to the central computer. The
peripheral devices contained a write mechanism
which could transfer the information from the portable
device to the peripheral device, which could in
turn write the information on a second portable
device. These second portable devices would then
be collected on some regular basis and taken to
the central computer, where the information would
be transferred to the central computer's memory.

Canadian Patent 1207460 to Ugon discloses a
method and apparatus for authorizing access to a
service offered by an authorizing entity. The system
comprises a portable card with memory and a
microprocessor, and an authorizing entity system
capable of communicating with the card and also
performing computer program operations. The card
and the system have the same algorithm to be
executed, and each has secret data upon which the
algorithms operate to produce a result which can
be compared to ensure that proper access is granted.
This system is rather complicated and involves
an operator at the authorizing entity end.

It is also known to encode a fingerprint on a
portable card to verify the identity of the user. UK
Patent Application GB 2185937 A of O'Shea et al
discloses a credit or similar card which incorporates
a computer generated image of the finger print
of the authorized user. When a transaction is
to be verified the user's finger print is scanned by
a finger print reader and the result is compared
with the information on the card. The user is
authorized to have access if the prints match. Such
devices are presently commercially available.

The systems described above suffer from the
problem of complexity, or they are susceptible to
fraudulent and unauthorized access and tampering
with the information in the card or the terminal. The
present invention provides an apparatus and method
for providing a highly secure and highly fraud-proof
system for providing access to services of an
authorizing entity.

EP 0 379 333 A1

SUMMARY OF THE INVENTION

The invention provides an improvement over
previous systems and methods of authorizing access
to services in a card-terminal environment by
providing for a system of protection and authorization
which makes the system highly fraud-proof.
The system is comprised of a portable device such
as a card, a peripheral device such as a terminal,
and optionally, a remote host computer in the case
of large systems, although it can be seen that the
host computer is not necessary for an operational
system. These components are connected via
some communication medium such as electrical
connectors or optics or radio transmission. The
terminal contains a microprocessor or some such
logic device and memory, a card reading device
and a finger print scanner. The card contains a
microprocessor or some such logic device and
memory, which can be connected to the terminal
via electronic or some other means such as optics
or radio transmission. The card and terminal each
have their own data and programs. Upon insertion
of the card into the reader a process of verification
is carried out by means of the microprocessors or
logic units, the programs and data in the memories.
The card verifies that the terminal is valid, the
terminal verifies that the card is valid, and the user
is verified by means of a finger print scan and
comparison with finger print data previously
recorded in the card. This is not to say that some
other form of physical characteristic could not be
used, such as a retinal or DNA scan. Where data is
being transmitted between components of the system,
encoding and decoding is used to further
enhance the security of the system.

The invention comprises a system for the interchange
of information comprising at least one portable
electronic device; at least one terminal device;
communication means connecting the portable
device with the terminal device; the portable
device containing verification means to verify that
the terminal device is a valid one; the terminal
device containing verification means to verify that
the portable device is a valid one and further
verification means to verify that the user is
authorized to use the system; protection means to
prevent tampering with a terminal; and encryption
means to encode and decode data at the interfaces
between the portable device and the terminal device.

The invention also consists of a method of
preventing unauthorized access to a system comprised
of a plurality of portable devices, a plurality
of terminal devices and a communication link
connecting the said terminal devices to a central host
computer, wherein the said portable device contains
information identifying the said portable device as
well as the authorized user. When the said terminal
is connected to the said portable device and power
is supplied to the said portable device, the terminal
device queries the portable device to determine if it
is a valid portable device; if not, the portable device
is retained or rejected by the terminal. In turn the
portable device queries the terminal to determine if
the terminal is a valid terminal; if not, the portable
device erases its memory and becomes harmless.
The terminal in turn scans a physical characteristic
of the user and compares that information with
stored information on the portable device to determine
if that user is authorized to use the portable
device and the terminal. If the portable device and
terminal are valid and the user is authorized, access
is allowed to the service; if not, the card is retained
or rejected. When the power to the terminal is
interrupted the terminal programs and data are lost
and can only be reloaded by authorized personnel
with their access portable devices or from the host
computer. Encryption is used at the portable device
and terminal interface as well as at the terminal
and host computer interface.

BRIEF DESCRIPTION OF THE DRAWINGS 

In drawings which illustrate embodiments of the
invention,

Figure 1 is a pictorial representation of the
basic system components, including an optional
host computer,

Figure 2 is a flow chart depicting the dialog 
between the card and the terminal, 

Figure 3 is a block diagram illustrating hard- 
ware configuration. 

DESCRIPTION OF THE PREFERRED EMBODI- 
MENT 

The combining of the capability of an intelligent 
card co-operating with an intelligent terminal, a 
finger print scanning device, and optionally inter- 
facing with a host computer to ensure maximum 
possible protection for a card user and a card 
issuer, is very desirable. In Figure 1 the basic 
hardware configuration needed to implement such 
an idea is set out in pictorial form. The host com- 
puter system 1 can be a personal computer, mini- 
computer, mainframe or any suitable computer 
configuration depending upon the particular ap- 
plication. The host computer system is connected 
to terminal 3 by suitable linkages such as a tele- 
phone line through a modem. It is also possible to 
utilize other linkages such as radio transmission, or 
direct cable or optics. Terminal 3 is described as 
an intelligent terminal and comprises an output 
device such as a display 5, or a voice synthesizer
or other means of communication with the user, a 
card reader 6 for reading or writing information 
from or to the card 4. It also contains an input 
device 8 such as a keyboard or other means of 
inputting information to the terminal and a finger 
print scanning device 7 or some other device to 
obtain physical information about the user. 

When a user wishes to utilize a card to gain 
access to a service from a terminal, the system 
requires a unique verification procedure to be
implemented. Upon insertion of the card into the
terminal, the terminal itself is verified by the card. 
The card is then verified by the terminal and then 
the user's finger print which has been digitized into 
the card at the time of issue is compared with the 
finger print which is submitted via the finger print 
scanning device at the time of use. Additional user 
identification such as a personal identification num- 
ber can also be included. 

If the terminal into which the card is inserted is 
not a valid terminal the card will erase its memory 
rendering itself useless to any would-be unauthoriz- 
ed user. 

An invalid card will be retained by the terminal 
and retrieved by authorized personnel. If the finger 
prints don't match the card is retained, otherwise 
access is granted to the service offered by the 
terminal. 

Figure 2 is a detailed flow chart depicting the 
above sequence of verification. In the preferred 
embodiment the card is an "intelligent card" with 
its own microprocessor or logic unit, memory, data 
and programs. In the preferred embodiment it is 
envisaged that the card will not carry its own power 
supply but will be connected to the terminal's pow- 
er supply when the card is inserted. However, it 
may be preferable in some cases for the card to 
have its own power supply. 

The whole process will start with the card's 
insertion into the terminal reader. 

The verification process, then, shall start on the 
terminal side by generating a question directed to 
the card. On the card side, the checkout is accom- 
plished by simply waiting for a certain period of 
time for the terminal's question. If the question 
does not arrive, the card will destroy all information 
in its memory and become useless. 

If one assumes that the card and the terminal 
are the correct ones, the parallel processing of the 
input question must proceed on both the terminal 
and card sides. On the terminal side, the checking 
of the card is achieved similarly to the card's check 
by waiting for the answer for a certain period of 
time. If the answer does not arrive, the terminal can 
withhold the card or reject it. If the answer does 
arrive it will process it. 

The invention can be configured to use dif- 
ferent types of cards for different applications. For 
example: 

1 ) Passport cards 

2) Credit cards 

3) Security access cards 

4) Licence cards 

5) Debit cards 

Different types of cards would produce dif- 
ferent answers to the initial question. This would be 
the way the terminal recognizes the type of card it 
is dealing with. If the answer from the card arrives
on time, the terminal would sort the answer to the
proper application and proceed by checking if the 
answer is correct. In the negative case, it would, 
again, withhold or reject the card. 

The next stage is the verification process in
which the identity of the card user is verified. This is
done through a process of finger print checkout.
The person's finger prints are scanned and compared
with the template stored on the card. Again,
if any attempt is made to read the data from the
card memory before the finger print verification
process is completed, the card will destroy its data.

The card will only allow access to its memory
after confirmation from the terminal that the user is
permitted to use it.

It is unlikely that the whole verification process 
will take any longer than approximately 25 seconds 
although the timing is not critical. 
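The card/terminal dialog of Figure 2, as an added simulation that is not part of the patent. As the page describes it, the card's check is a timeout (it erases itself if no question arrives in time) and the terminal's check is that a correct answer arrives in time. A timeout alone does not authenticate the terminal, since anything that asks promptly passes it, so this example gives the "question" and "answer" the content the page leaves unspecified: each carries a fresh nonce and an HMAC-SHA256 tag under a key shared by card and terminal (an assumption; the patent names no algorithm). The card type rides in the answer in the clear, bound by the tag, so the terminal can sort it to the right application. The finger print comparison runs on the card (the page does not say where it runs), so the template is never read out, and any read of card memory before the terminal's keyed confirmation erases the card. The "encryption means" at the interface is not modelled; the tags give authenticity, not confidentiality. Time is passed in explicitly so the late-question and late-answer cases can be exercised deterministically. The key, the template, the "records" content and the byte-mismatch matcher are all constructed for the example.

```python
import hashlib
import hmac
import os

# Card types listed on the page; the terminal sorts each answer by this field.
CARD_TYPES = {"passport", "credit", "security", "licence", "debit"}


def _mac(key, *parts):
    """Keyed tag over the given parts; HMAC-SHA256 is this example's choice."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def fingerprint_match(template, scan, max_mismatch=4):
    # Stand-in matcher (constructed): fixed-length feature vectors match if few bytes differ.
    return len(template) == len(scan) and sum(a != b for a, b in zip(template, scan)) <= max_mismatch


class Card:
    # The "intelligent card": keyed, self-erasing, memory locked until the user is verified.

    def __init__(self, card_type, secret, template, timeout=2.0):
        self.card_type, self._secret, self._template = card_type, secret, template
        self._memory = {"records": b"account data"}   # constructed sample content
        self.timeout, self.deadline, self._nonce = timeout, None, None
        self._user_ok = self.unlocked = self.erased = False

    def power_on(self, now):
        self.deadline = now + self.timeout         # wait this long for the terminal's question

    def erase(self):
        """Destroy all information in memory and become useless."""
        self._memory.clear()
        self._template = self._secret = None
        self._user_ok = self.unlocked = False
        self.erased = True

    def answer(self, question, now):
        """Check the terminal's question; erase if it is late or not correctly keyed."""
        if self.erased:
            return None
        nonce_t, tag = question[:16], question[16:]
        if now > self.deadline or not hmac.compare_digest(tag, _mac(self._secret, b"T", nonce_t)):
            self.erase()
            return None
        self._nonce = os.urandom(16)
        ctype = self.card_type.encode().ljust(8)    # type in the clear, bound by the tag
        return ctype + self._nonce + _mac(self._secret, b"C", ctype, nonce_t, self._nonce)

    def verify_user(self, scan):
        # Match on the card so the template never leaves it (this example's choice).
        self._user_ok = fingerprint_match(self._template, scan)
        return self._user_ok

    def unlock(self, confirmation):
        # Open memory only on the terminal's keyed confirmation for this session.
        if self._user_ok and hmac.compare_digest(confirmation, _mac(self._secret, b"U", self._nonce)):
            self.unlocked = True
        return self.unlocked

    def read(self, key):
        # Any read before the user is verified destroys the card's data.
        if not self.unlocked:
            self.erase()
            return None
        return self._memory.get(key)


class Terminal:
    def __init__(self, secret, timeout=2.0):
        self._secret, self.timeout = secret, timeout

    def question(self):
        nonce = os.urandom(16)
        return nonce, nonce + _mac(self._secret, b"T", nonce)

    def check_answer(self, nonce_t, answer, sent_at, now):
        """Return (card_type, card_nonce) for a valid, on-time answer, else None."""
        if answer is None or now - sent_at > self.timeout or len(answer) != 56:
            return None
        ctype, nonce_c, tag = answer[:8], answer[8:24], answer[24:]
        if ctype.strip().decode(errors="replace") not in CARD_TYPES:
            return None
        if not hmac.compare_digest(tag, _mac(self._secret, b"C", ctype, nonce_t, nonce_c)):
            return None
        return ctype.strip().decode(), nonce_c

    def confirm_user(self, nonce_c):
        return _mac(self._secret, b"U", nonce_c)


def run_session(terminal, card, scan, now=0.0, question_delay=0.0, answer_delay=0.0):
    """Drive the Figure 2 dialog and report which of the page's outcomes occurred."""
    card.power_on(now)
    now += question_delay                  # time until the terminal's question arrives
    nonce_t, q = terminal.question()
    sent_at, ans = now, card.answer(q, now)
    if card.erased:
        return "card erased (invalid terminal)"
    now += answer_delay                    # time until the card's answer arrives
    res = terminal.check_answer(nonce_t, ans, sent_at, now)
    if res is None:
        return "card retained (invalid card)"
    card_type, nonce_c = res
    if not card.verify_user(scan):
        return "card retained (user not authorized)"
    card.unlock(terminal.confirm_user(nonce_c))
    return f"access granted: {card_type}"
```

A session with a terminal holding the wrong key, or one that asks too late, ends with the card erased; a card that answers late, or one that answers with the right shape but no key, is retained; a mismatched scan leaves the card locked, and any read attempt at that point wipes it. Taken literally, the page's card-side check (any question within the timeout) would let a rogue terminal keep the card alive and probe its memory; the keyed question is what closes that gap here.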

It is possible that someone could try to gain
access to the data or the software itself by tampering
with the terminal. To prevent this, all terminal
software could be placed in RAM memory only.
This way it would be lost immediately if the power
to the terminal is disrupted. Only a licensed technician
with his own access portable device would be
able to download new software, either from his
portable device or from the host computer, and
bring the terminal up again.

The block diagram of Figure 3 shows the hardware
configuration of a preferred embodiment of a
simple system comprised of only one terminal. The
host computer system 1 is remotely located from
the terminal 3. The two are connected by way of a
telephone line 2 and modems 10a and 10b. The
terminal 3 is composed of a PC-type motherboard
9, which includes a microprocessor or other logic
device and memory, an "intelligent card" reader 6,
a finger print scanner 7, a custom keyboard 8 and
a display 5. The card reader 6 is adapted to
receive and communicate with the "intelligent
card" 4. The "intelligent card" typically contains a
microprocessor or some other logic device and
memory. Appropriate software and data are stored
in the terminal 3 and in the "intelligent card" 4 to
enable the verification procedures represented by
the flow chart of Figure 2 to be carried out.

"Intelligent cards" are a unique technology utilizing
plastic or some other media in which to
embed a microprocessor or some such logic unit and
memory chips. The cards accordingly have both
memory and processing capabilities. Essentially
they are pocket sized computer systems with a
wide range of application possibilities.

A number of off-the-shelf items can be used in
the system. The terminal could use an IBM PC™
motherboard, a Toshiba™ FZ1318 card reader and
an IDENTIX Touchsave™ T5-500 finger print scanner.
The "intelligent card" could be a Toshiba
TOSMART™ CZ-3000. Typically an IBM PC™
could be used as the host computer, but larger,
more complex systems using many terminals may
require a larger computer such as a mainframe.

Interconnections other than telephone lines and 
modems are possible. For example a security sys- 
tem for a building may have dedicated communica- 
tion cables connecting the various terminals to the 
host computer without the use of modems. Also 
radio and optical interconnections are possible. 

Finally to further enhance security an encryp- 
tion technique could be used to encode data be- 
fore transmitting between the host computer and 
the terminal, and decoding upon receipt. Similarly 
encoding and decoding could be used when read- 
ing and writing from and to the "intelligent card". 

A number of changes and modifications appar- 
ent to one skilled in the art can be made without 
departing from the invention. 

Claims 

1. A system for the interchange of information
comprising at least one portable electronic device; 
at least one terminal device; communication means 
to effect communications between the terminal de- 
vice and the portable device; the portable device 
containing verification means to verify that the ter- 
minal device is a valid one; the terminal device 
containing verification means to verify that the por- 
table device is a valid one and further verification 
means to verify that the user is authorized to use 
the system; protection means to prevent tampering 
with a terminal and encryption means to encode 
and decode data at the interface between the por- 
table device and the terminal device. 

2. The system of Claim 1 wherein the portable 
device contains a microprocessor or similar logic 
device, memory, data transfer means and inter- 
faces to effect communications between the card 
and the terminal. 

3. The system of claim 1 or Claim 2 wherein 
the terminal device contains input means, output 
means, a scanning device for scanning a physical 
characteristic of a user, a card reader, a micropro- 
cessor or other logic unit, memory and data trans- 
fer means. 

4. The system of Claim 3 wherein the input 
means is a keyboard, the output means is a dis- 
play. 

5. The system of any one of Claims 1 to 4 
wherein the communications means comprises a 
telephone line and one or more modems.

6. The system of any one of Claims 1 to 5 
wherein the said verification means includes a 
computer program or programs. 

7. The system of any of Claims 1 to 6 wherein
the said further verification means includes a finger
print scanner and a computer program or programs
to compare the information from the scan of the
user's finger print with prestored finger print
information in the portable electronic device.

8. The system of any one of Claims 1 to 7 
wherein the protection means includes volatile 
memory which loses its contents when the power 
is interrupted. 

9. The system of any one of Claims 1 to 8
wherein the terminal is connected to a host com- 
puter by further communication means and further 
encryption means. 

10. The system of Claim 9 wherein the further
communication means includes one or more of
telephone lines and modems, direct cable, and
radio and optical transmissions, and the further
encryption means is used to encode and decode
information at the interface between the terminal
and the host computer.

11. A secure system for the interchange of
information comprising a plurality of portable devices,
a plurality of terminal devices, a communication
link connecting the said terminal devices with a
host computer; such portable electronic device
comprised of a memory for the storage of data, a
microprocessor or similar logic unit for the manipulation
of data and data transfer means; the said
memory containing data which identifies the user
and a program by which the portable device can
verify that the terminal device is a valid one and to
effect interchanges of information or, if the terminal
is invalid, to erase the memory; the terminal devices
each comprising a microprocessor or similar
logic unit, a memory for the storage of data, a
program to verify that the card is a valid one, a
scanning device, input and output devices to
communicate with the user, a power source, and being
adapted to connect to the portable device so as to
supply power to the portable device when necessary
and to transfer data between the said portable
device and the said terminal device.

12. The system of Claim 11 wherein the porta- 
ble device contains its own power supply. 

13. A method of providing for secure interchange
of information in a portable device - terminal
environment comprising the steps of: the terminal
verifying that the portable device is valid; the
portable device verifying that the terminal is valid;
the terminal obtaining data by a physical characteristic
scan of the user and comparing this data
to data stored on the user's portable device; using
encryption means to encode and decode information
at interfaces where unauthorized access could
be gained; the portable device erasing its program
and data if an invalid terminal attempts to communicate
with it; the terminal keeping or rejecting
portable devices determined to be invalid or, if valid,
where the user is unauthorized; the terminal data and
program being lost when power is interrupted; and
the terminal being brought back up after power
loss only by an authorized person utilizing an
access portable device.